fix(timezone): Only set time zone if current user can edit content

If this module is included in a controller out of the Alchemy::Admin scope we need to make sure we do not set the time zone.

Author: tvdeyen

lib/alchemy/admin/timezone.rb

@@ -6,7 +6,7 @@ module Timezone
       extend ActiveSupport::Concern
 
       included do
-        around_action :set_timezone
+        around_action :set_timezone, if: -> { can?(:edit_content, Alchemy::Page) }
       end
 
       private

spec/lib/alchemy/admin/timezone_spec.rb

@@ -13,6 +13,10 @@ def index
     private
 
     attr_reader :current_alchemy_user
+
+    def can?(*)
+      true
+    end
   end
 
   let(:original_timezone) { Time.zone.name }
@@ -97,5 +101,26 @@ def index
       get :index, params: {admin_timezone: "Hawaii"}
       expect(Time.zone.name).to eq(original)
     end
+
+    context "when user cannot edit content" do
+      controller(ActionController::Base) do
+        include Alchemy::Admin::Timezone
+
+        def index
+          render plain: Time.zone.name
+        end
+
+        private
+
+        def can?(*)
+          false
+        end
+      end
+
+      it "does not set the timezone" do
+        get :index, params: {admin_timezone: "Hawaii"}
+        expect(response.body).to eq(original_timezone)
+      end
+    end
   end
 end